Apache httpd 2.0.50 was released on 1st July 2004
and is now the latest version of the httpd 2.0 server. The
previous version was 2.0.49, released on the 19th
March 2004. See what was
new in Apache httpd 2.0.49.

Security issues

A remotely triggerable memory leak in the parsing of HTTP
headers may allow a denial of service attack through
excessive memory consumption.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2004-0493
to this issue.

A buffer overflow in the mod_ssl FakeBasicAuth code could
be exploited by an attacker using a (trusted) client
certificate with a subject DN field which exceeds 6K in
length.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2004-0488
to this issue.

New features

The following new features have been added in httpd
2.0.50:

inclusion of a new forensic logging module,
mod_log_forensic

mod_headers: the
RequestHeader directive can be used
conditionally

mod_alias: warnings will be issued at
startup if aliases which overlap are configured

Bugs fixed

The following bugs have been fixed in httpd 2.0.50:

core: a VirtualHost specified by hostname will be used for
all addresses which that hostname resolves to; log files can exceed
the 2Gb size limit on some 32-bit platforms (BZ#13511); correctly NUL-terminate long request lines
before logging (BZ#28376); fix crash with no Listen
directives

O'Reilly Open Source Convention 2004

Less than a month to go before the annual O'Reilly Open
Source Convention opens its doors in Portland, Oregon. This
year the conference runs from July 26-30 with many tracks of
interest to Apache users.

ApacheCon USA 2004 Call For Papers

Got a great idea for a presentation that would interest ApacheCon
attendees? The conference planners recently released a Call for
Papers for the upcoming conference in Las Vegas in November this
year. Proposals are due in just a few weeks.

If the prospect of early Christmas shopping in Vegas doesn't
appeal, how about submitting a proposal to "OSCOM.4 with
ApacheTracks" in Zurich in October?

In this section we highlight some of the articles on the web
that are of interest to Apache users.

Rich Bowen publishes more often than Apache Week, and this time he's
helping users choose between Apache 1.3 and 2.0 in another "A
Day in the Life of #Apache".

Fortunately the first step in the SecurityFocus article "Securing Apache
2: Step-by-Step" isn't to turn off your server. Instead, this
short guide gives a good set of tips and tricks including how to
get Apache 2 running in a chroot jail.